Letting spooks into our devices a big call
We need to know how legal access will be managed and if cost to privacy is worth it
As expected, the Turnbull government in Australia will push for laws that open up mobile devices and encrypted services to intelligence agencies and law enforcement, despite criticism that such a move will lessen people’s security online.
New Zealand is the example Australia is following, along with the UK. While the latter country hasn’t had its amended interception laws in place for long, NZ’s Telecommunications (Interception Capability and Security) Act or TICSA arrived in 2013, and was in force the year after.
TICSA means network operators with 4000 customers or more “must ensure that their public telecommunications network has full interception capability”, a spokesperson for the Government Communications Security Bureau (GCSB) explained.
This isn’t a new requirement, but TICSA tried to make the law fit in better with the internet.
Does it mean said network operators must break encryption?
Yes and no: “Full interception capability includes the ability for the network operator to decrypt a telecommunication on the network operator’s public telecommunications network if the content has been encrypted, and the network operator has provided the encryption,” the spokesperson said.
However, it seems larger telcos and internet providers don’t have to sweat over scrambled Whatsapp, Signal and Telegram communications.
“The network operator is not required to decrypt any telecommunication encrypted by a person other than the network operator,” the GCSB said.
How the intercepts are done isn’t specified in the law, but signs are that rather than enforcing weak, breakable encryption for public use like India has, or actually force providers to decrypt communications, bypassing the scrambling of calls and messages is what will happen.
One infosec veteran I spoke to who wished to remain anonymous suggested that surveillance needs to be done as in the past, with Apple, Microsoft, Facebook, Google and others providing a gateway for lawful interception (LI), where police and other agencies log in and present a warrant.
The big difference here is that the LI capability would have to be built into smartphones, tablets and perhaps in a not-so-distant future, added to laptop and desktop computers — and not just in telco and internet provider network equipment.
Once a warrant is served on a telco, or a provider, they would push out a tailored software update to targets’ devices to activate the intercept which will transmit data before it’s encrypted.
This is how LI on mobile devices was done in the past, but then iPhones came along and Apple doesn’t want to back-door its devices, as evident in the San Bernardino case when the company refused to help the FBI.
For a while, government agencies were able break into devices and services thanks to software and hardware bugs — so-called exploits. Increasingly security-conscious vendors are much faster to detect and patch security flaws, making it much harder for agencies to get into devices.
Smartphones’ LIs would be able to pick up a vast amount of information, such as the surveillance target’s exact location, call metadata and content, contacts and much more than was possible to glean from wiretaps in the past. For journalists seeking to protect sources, this is especially worrying.
That, my shadowy infosec contact said, is really the crux of the matter rather than focusing on encryption. While most people believe law enforcement have the right to spy on suspects as part of an investigation, do they realise just how far such surveillance goes?
We need to talk about what it means having spooks inside your smartphone, what they should be allowed to access and snoop on, how the spying should be authorised and what checks and balances there need to be to safeguard people’s privacy — when a security professional who has seen the worst says this, it’s worth taking seriously.
Our Privacy Commissioner John Edwards agreed with this, and pointed out that it’s not clear that adding further LI capability will make a difference in preventing terrorism and other awfulness.
In recent terrorist attacks, intelligence services already had information on suspects, but didn’t use it to prevent the incidents, Edwards said.
The GCSB reported only 22 interception warrants were in force in the 2015/16 year in New Zealand, with a further 15 issued during that same period — very low numbers, Edwards noted.
There are severe risks with adding back doors for interception in smartphones, as hackers and undemocratic regimes will seek to abuse them as well.
Edwards said we never hear the counterfactual to the interception argument, which is what the human and economic cost of weakening the security — and therefore privacy — of people’s devices might be.
In other words, before we jeopardise everyone’s safety and privacy online, we should step back and ask “is it actually worth it?”. The answer might surprise everyone, our politicians included.